chore: task role assume role (#5476)

CaptainCarpensir · web-flow · commit 15c1f15bbe1c · 2023-12-04T22:01:25.000Z
Implements the first of two planned methods to retrieve TaskRole credentials for `run local` containers



By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
diff --git a/internal/pkg/cli/errors.go b/internal/pkg/cli/errors.go
@@ -163,3 +163,25 @@ func (e *errPipelineDependsOnEnv) RecommendActions() string {
 or run %s to delete the pipeline before running %s to delete the environment`,
 		e.pipeline, e.env, color.HighlightCode(fmt.Sprintf("copilot pipeline delete -n %s", e.pipeline)), color.HighlightCode(fmt.Sprintf("copilot env delete -n %s", e.env)))
 }
+
+type errTaskRoleRetrievalFailed struct {
+	chainErrs []error
+}
+
+func (e *errTaskRoleRetrievalFailed) Error() string {
+	return errors.Join(e.chainErrs...).Error()
+}
+
+func (e *errTaskRoleRetrievalFailed) RecommendActions() string {
+	return fmt.Sprintf(`TaskRole retrieval failed. You can manually add permissions for your account to assume TaskRole by adding the following YAML override to your service:
+%s
+For more information on YAML overrides see %s`,
+		color.HighlightCodeBlock(`- op: add
+  path: /Resources/TaskRole/Properties/AssumeRolePolicyDocument/Statement/-
+  value:
+    Effect: Allow
+    Principal:
+      AWS: "arn:aws:iam::[app-account-ID]:root"
+    Action: 'sts:AssumeRole'`),
+		color.Emphasize("https://aws.github.io/copilot-cli/docs/developing/overrides/yamlpatch/"))
+}
diff --git a/internal/pkg/cli/flag.go b/internal/pkg/cli/flag.go
@@ -72,6 +72,7 @@ const (
 	proxyFlag          = "proxy"
 	proxyNetworkFlag   = "proxy-network"
 	watchFlag          = "watch"
+	useTaskRoleFlag    = "use-task-role"
 
 	// Flags for CI/CD.
 	githubURLFlag         = "github-url"
@@ -326,6 +327,7 @@ Example: --port-override 5000:80 binds localhost:5000 to the service's port 80.`
 	proxyFlagDescription        = `Optional. Proxy outbound requests to your environment's VPC.`
 	proxyNetworkFlagDescription = `Optional. Set the IP Network used by --proxy.`
 	watchFlagDescription        = `Optional. Watch changes to local files and restart containers when updated.`
+	useTaskRoleFlagDescription  = "Optional. Run containers with TaskRole credentials instead of session credentials."
 
 	svcManifestFlagDescription = `Optional. Name of the environment in which the service was deployed;
 output the manifest file used for that deployment.`
diff --git a/internal/pkg/cli/run_local.go b/internal/pkg/cli/run_local.go
@@ -98,6 +98,7 @@ type runLocalVars struct {
 	envName       string
 	envOverrides  map[string]string
 	watch         bool
+	useTaskRole   bool
 	portOverrides portOverrides
 	proxy         bool
 	proxyNetwork  net.IPNet
@@ -436,6 +437,23 @@ func (o *runLocalOpts) getTask(ctx context.Context) (orchestrator.Task, error) {
 		return orchestrator.Task{}, fmt.Errorf("get env vars: %w", err)
 	}
 
+	if o.useTaskRole {
+		taskRoleCredsVars, err := o.taskRoleCredentials(ctx)
+		if err != nil {
+			return orchestrator.Task{}, fmt.Errorf("retrieve task role credentials: %w", err)
+		}
+
+		// overwrite environment variables
+		for ctr := range envVars {
+			for k, v := range taskRoleCredsVars {
+				envVars[ctr][k] = envVarValue{
+					Value:  v,
+					Secret: true,
+				}
+			}
+		}
+	}
+
 	containerDeps := o.getContainerDependencies(td)
 
 	task := orchestrator.Task{
@@ -629,6 +647,46 @@ func sessionEnvVars(ctx context.Context, sess *session.Session) (map[string]stri
 	return env, nil
 }
 
+func (o *runLocalOpts) taskRoleCredentials(ctx context.Context) (map[string]string, error) {
+	// assumeRoleMethod tries to directly call sts:AssumeRole for TaskRole using default session
+	// calls sts:AssumeRole through aws-sdk-go here https://github.com/aws/aws-sdk-go/blob/ac58203a9054cc9d901429bdd94edfc0a7a1de46/aws/credentials/stscreds/assume_role_provider.go#L352
+	assumeRoleMethod := func() (map[string]string, error) {
+		taskDef, err := o.ecsClient.TaskDefinition(o.appName, o.envName, o.wkldName)
+		if err != nil {
+			return nil, err
+		}
+
+		taskRoleSess, err := o.sessProvider.FromRole(aws.StringValue(taskDef.TaskRoleArn), o.targetEnv.Region)
+		if err != nil {
+			return nil, err
+		}
+
+		return sessionEnvVars(ctx, taskRoleSess)
+	}
+
+	// ecsExecMethod tries to use ECS Exec to retrive credentials from running container
+	ecsExecMethod := func() (map[string]string, error) {
+		return nil, errors.New("ecs exec method not implemented")
+	}
+
+	credentialsChain := []func() (map[string]string, error){
+		assumeRoleMethod,
+		ecsExecMethod,
+	}
+
+	// return TaskRole credentials from first successful method
+	var errs []error
+	for _, method := range credentialsChain {
+		vars, err := method()
+		if err == nil {
+			return vars, nil
+		}
+		errs = append(errs, err)
+	}
+
+	return nil, &errTaskRoleRetrievalFailed{errs}
+}
+
 type containerEnv map[string]envVarValue
 
 type envVarValue struct {
diff --git a/internal/pkg/cli/run_local_test.go b/internal/pkg/cli/run_local_test.go
@@ -203,6 +203,7 @@ type runLocalExecuteMocks struct {
 	ecsClient      *mocks.MockecsClient
 	store          *mocks.Mockstore
 	sessCreds      credentials.Provider
+	sessProvider   *mocks.MocksessionProvider
 	interpolator   *mocks.Mockinterpolator
 	ws             *mocks.MockwsWlDirReader
 	mockMft        *mockWorkloadMft
@@ -268,6 +269,7 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 	}
 
 	taskDef := &awsecs.TaskDefinition{
+		TaskRoleArn: aws.String("mock-arn"),
 		ContainerDefinitions: []*sdkecs.ContainerDefinition{
 			{
 				Name: aws.String("foo"),
@@ -328,6 +330,7 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 		},
 	}
 	alteredTaskDef := &awsecs.TaskDefinition{
+		TaskRoleArn: aws.String("mock-arn"),
 		ContainerDefinitions: []*sdkecs.ContainerDefinition{
 			{
 				Name: aws.String("foo"),
@@ -429,6 +432,52 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 			"AWS_SESSION_TOKEN":     "myEnvToken",
 		},
 	}
+	expectedTaskRoleTask := orchestrator.Task{
+		Containers: map[string]orchestrator.ContainerDefinition{
+			"foo": {
+				ImageURI: "image1",
+				EnvVars: map[string]string{
+					"FOO_VAR": "foo-value",
+				},
+				Secrets: map[string]string{
+					"SHARED_SECRET":         "secretvalue",
+					"AWS_ACCESS_KEY_ID":     "taskRoleID",
+					"AWS_SECRET_ACCESS_KEY": "taskRoleSecret",
+					"AWS_SESSION_TOKEN":     "taskRoleToken",
+					"AWS_DEFAULT_REGION":    testRegion,
+					"AWS_REGION":            testRegion,
+				},
+				Ports: map[string]string{
+					"80":  "8080",
+					"999": "9999",
+				},
+				IsEssential: true,
+				DependsOn: map[string]string{
+					"bar": "start",
+				},
+			},
+			"bar": {
+				ImageURI: "image2",
+				EnvVars: map[string]string{
+					"BAR_VAR": "bar-value",
+				},
+				Secrets: map[string]string{
+					"SHARED_SECRET":         "secretvalue",
+					"AWS_ACCESS_KEY_ID":     "taskRoleID",
+					"AWS_SECRET_ACCESS_KEY": "taskRoleSecret",
+					"AWS_SESSION_TOKEN":     "taskRoleToken",
+					"AWS_DEFAULT_REGION":    testRegion,
+					"AWS_REGION":            testRegion,
+				},
+				Ports: map[string]string{
+					"777":   "7777",
+					"10000": "10000",
+				},
+				IsEssential: true,
+				DependsOn:   map[string]string{},
+			},
+		},
+	}
 
 	testCases := map[string]struct {
 		inputAppName       string
@@ -437,6 +486,7 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 		inputEnvOverrides  map[string]string
 		inputPortOverrides []string
 		inputWatch         bool
+		inputTaskRole      bool
 		inputProxy         bool
 		buildImagesError   error
 
@@ -467,6 +517,20 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 			},
 			wantedError: errors.New(`get task: get env vars: parse env overrides: "bad:OVERRIDE" targets invalid container`),
 		},
+		"error retrieving task role credentials": {
+			inputAppName:  testAppName,
+			inputWkldName: testWkldName,
+			inputEnvName:  testEnvName,
+			inputTaskRole: true,
+			setupMocks: func(t *testing.T, m *runLocalExecuteMocks) {
+				m.ecsClient.EXPECT().TaskDefinition(testAppName, testEnvName, testWkldName).Return(taskDef, nil)
+				m.ssm.EXPECT().GetSecretValue(gomock.Any(), "mysecret").Return("secretvalue", nil)
+				m.ecsClient.EXPECT().TaskDefinition(testAppName, testEnvName, testWkldName).Return(taskDef, nil)
+				m.sessProvider.EXPECT().FromRole("mock-arn", testRegion).Return(nil, errors.New("some error"))
+			},
+			wantedError: errors.New(`get task: retrieve task role credentials: some error
+ecs exec method not implemented`),
+		},
 		"error reading workload manifest": {
 			inputAppName:  testAppName,
 			inputWkldName: testWkldName,
@@ -743,6 +807,39 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 				}
 			},
 		},
+		"success, one run task call, taskrole assumerole method": {
+			inputAppName:  testAppName,
+			inputWkldName: testWkldName,
+			inputEnvName:  testEnvName,
+			inputTaskRole: true,
+			setupMocks: func(t *testing.T, m *runLocalExecuteMocks) {
+				m.ecsClient.EXPECT().TaskDefinition(testAppName, testEnvName, testWkldName).Return(taskDef, nil)
+				m.ssm.EXPECT().GetSecretValue(gomock.Any(), "mysecret").Return("secretvalue", nil)
+				m.ecsClient.EXPECT().TaskDefinition(testAppName, testEnvName, testWkldName).Return(taskDef, nil)
+				taskRoleSess := &session.Session{
+					Config: &aws.Config{
+						Credentials: credentials.NewStaticCredentials("taskRoleID", "taskRoleSecret", "taskRoleToken"),
+						Region:      aws.String(testRegion),
+					},
+				}
+				m.sessProvider.EXPECT().FromRole("mock-arn", testRegion).Return(taskRoleSess, nil)
+				m.ws.EXPECT().ReadWorkloadManifest(testWkldName).Return([]byte(""), nil)
+				m.interpolator.EXPECT().Interpolate("").Return("", nil)
+
+				errCh := make(chan error, 1)
+				m.orchestrator.StartFn = func() <-chan error {
+					errCh <- errors.New("some error")
+					return errCh
+				}
+				m.orchestrator.RunTaskFn = func(task orchestrator.Task, opts ...orchestrator.RunTaskOption) {
+					require.Equal(t, expectedTaskRoleTask, task)
+				}
+				m.orchestrator.StopFn = func() {
+					require.Len(t, errCh, 0)
+					close(errCh)
+				}
+			},
+		},
 		"handles ctrl-c, waits to get all errors": {
 			inputAppName:  testAppName,
 			inputWkldName: testWkldName,
@@ -959,6 +1056,7 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 				ssm:            mocks.NewMocksecretGetter(ctrl),
 				secretsManager: mocks.NewMocksecretGetter(ctrl),
 				store:          mocks.NewMockstore(ctrl),
+				sessProvider:   mocks.NewMocksessionProvider(ctrl),
 				interpolator:   mocks.NewMockinterpolator(ctrl),
 				ws:             mocks.NewMockwsWlDirReader(ctrl),
 				mockRunner:     mocks.NewMockexecRunner(ctrl),
@@ -978,6 +1076,7 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 					envName:      tc.inputEnvName,
 					envOverrides: tc.inputEnvOverrides,
 					watch:        tc.inputWatch,
+					useTaskRole:  tc.inputTaskRole,
 					portOverrides: portOverrides{
 						{
 							host:      "777",
@@ -1007,6 +1106,7 @@ func TestRunLocalOpts_Execute(t *testing.T) {
 				ssm:            m.ssm,
 				secretsManager: m.secretsManager,
 				store:          m.store,
+				sessProvider:   m.sessProvider,
 				sess: &session.Session{
 					Config: &aws.Config{
 						Credentials: credentials.NewStaticCredentials("myID", "mySecret", "myToken"),
